European Court of Justice Safe Harbor Ruling—FAQ

On October 6, 2015, the European Court of Justice (ECJ) issued its decision in the case of Maximillian Schrems v. Data Protection Commissioner, finding that the U.S.-EU Safe Harbor Framework is invalid with immediate effect. The suspension of Safe Harbor affects many companies that need to transfer personal data from the European Union (EU) and the European Economic Area (EEA) to the United States and to other non-EU/EEA countries. Adobe has evaluated various options that will allow for the transfer of personal data from the EU/EEA to non-EU/EEA countries. Like many companies, Adobe has decided to authorize these personal data transfers using European Commission-approved Standard Contractual Clauses (also referred to as Model Contracts).

What did the European Court of Justice decide regarding the validity of the U.S.-EU Safe Harbor Framework?

On October 6, 2015, the European Court of Justice (ECJ) ruled that the 15-year-old Safe Harbor Framework between the U.S. and the EU that provided a legal basis for the transfer of personal data from the EU/EEA to the United States was invalid with immediate effect. At the time of the court decision, approximately 4,500 U.S. companies were certified, including many companies in the high technology sector. For more information on the Safe Harbor Framework, visit the U.S. Department of Commerce’s website.

What is the U.S.-EU Safe Harbor Framework?

The U.S.-EU Safe Harbor Framework was established in 2000 by the U.S. Department of Commerce in consultation with the European Commission to bridge the differences in approaches to privacy between the U.S. and the EU, and provide a streamlined process for the transfer of personal data from the EU/EEA to the U.S. Under Safe Harbor, eligible U.S. companies processing personal data collected in the EU/EEA could opt into the Safe Harbor program by self-certifying their adherence to the seven Safe Harbor principles and 15 frequently asked questions. These were designed to assist eligible organizations to comply with the EU Directive 95/46/EC on the protection of personal data and maintain the privacy and integrity of that data.

What do EU and EEA stand for?

The European Union (EU) is an economic and political partnership between 28 European countries that together cover much of the European continent. The European Economic Area (EEA) unites the EU Member States and the three EEA European Free Trade Association (EFTA) States (Iceland, Liechtenstein, and Norway) into an internal market governed by the same basic rules. These rules aim to enable goods, services, capital, and persons to move freely about the EEA in an open and competitive environment, a concept referred to as the four freedoms.

What does the Safe Harbor ruling by the European Court of Justice mean when it comes to the transfer of data from the EU/EEA to the U.S.?

If a U.S. company was certified under Safe Harbor, it is now required to find another approved method for transferring personal data from the EU/EEA to the U.S.

What is Adobe doing in regards to the decision by the European Court of Justice to invalidate the U.S.-EU Safe Harbor Framework?

Adobe has evaluated various options that will allow for the transfer of personal data from the EU/EEA to a non-EU/EEA country, such as the U.S.

Adobe has prepared a new Data Processing Agreement (DPA) for our enterprise customers, which includes Standard Contractual Clauses (SCCs), also referred to as Model Contracts. These SCCs provide a mechanism approved by the European Commission as offering adequate protection for data subjects when transferring personal data from the EU/EEA under the EU Data Protection Directive. If you are an Adobe enterprise customer transferring personal data in connection with Adobe cloud services from the EU/EEA to the U.S., please click here to request the new Data Processing Agreement and Standard Contractual Clauses.

What are Standard Contractual Clauses / Model Contracts?

Standard Contractual Clauses (SCCs), otherwise known as Model Contracts, are contract terms that have been approved by the European Commission (EC) as ensuring adequate protection for data subjects in accordance with the EU Data Protection Directive 95/46/EC when transferring personal data from the EU/EEA to non-EU/EEA countries, including to the U.S.

How does the decision to invalidate Safe Harbor affect my company’s use of Adobe products?

Prior to the decision by the European Court of Justice (ECJ), Adobe relied primarily on its certification to the Safe Harbor Framework to ensure adequate protection for the transfer of personal data from the EU/EEA to the U.S. Following the ECJ’s decision, Adobe has decided to authorize these personal data transfers using European Commission-approved Standard Contractual Clauses (also referred to as Model Contracts).

Adobe has prepared a new Data Processing Agreement (DPA) for our enterprise customers, which includes the Standard Contractual Clauses (SCCs) to provide a mechanism approved by the European Commission as offering adequate protection for data subjects when transferring personal data from the EU/EEA under the EU Data Protection Directive. If you are an Adobe enterprise customer transferring personal data in connection with Adobe cloud services from the EU/EEA to the U.S., please click here to request the new Data Processing Agreement and Standard Contractual Clauses.

As an Adobe customer, can I request that all of the personal data processed by Adobe be stored on Adobe’s servers in the EU/EEA?

While Adobe does have data centers located in the EU/EEA that can be used by some of our products and services, our cloud services may still require data to be transferred to the United States to provide some features. In addition, Adobe personnel may need access to data stored in the EU/EEA from a non-EU/EEA country to provide support services. Under EU law, any access to data residing in the EU/EEA by anyone located in a non-EU/EEA country triggers the rules of transfer to a non-EU/EEA country. As such, an agreement that includes the Standard Contractual Clauses (SCCs) may still be required even if your data is stored in the EU/EEA.

What if I have additional questions?

Adobe Safe Harbor Privacy Policy

Last updated: June 18, 2014

Adobe Inc. (our U.S. company) has certified to U.S.–E.U. Safe Harbor Framework and the U.S.–Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data from our subsidiaries, corporate customers, and other business partners in the European Union member countries and Switzerland. To learn more about the Safe Harbor program, and to view the certification for Adobe Inc., visit http://www.export.gov/safeharbor.

This Adobe Safe Harbor Privacy Policy describes how we handle personal information (1) collected by Adobe subsidiaries, our corporate customers, and other business partners located in the European Economic Area (the EEA) and Switzerland, which is then transferred to Adobe Inc. in the United States; and (2) received from companies that use one of Adobe’s hosted services (learn more) who operate in the EEA and Switzerland and processed by Adobe Inc. in the United States on behalf of the company. This Safe Harbor Privacy Policy supplements the Adobe Privacy Policy.

Information collected by Adobe subsidiaries, corporate customers and business partners

Personal information

Adobe Inc. may receive personal information from Adobe subsidiaries (see list of Adobe entities and our acquired companies), our corporate customers, and other business partners in the EEA and Switzerland, such as name, email address, company name, title, postal address, telephone number, and preferences regarding our applications and websites. Any personal information sent to us may be used by Adobe Inc. and its subsidiaries and their agents and business partners for the purposes described at the time the information was collected. If you agree to receive email or telephone marketing from us, personal information we receive will also be used for those purposes, as described in the Adobe Privacy Policy. If we plan to use personal information for a purpose that is incompatible with these purposes or if we plan to disclose personal information to a kind of company not described here, we will seek your consent to such uses or disclosures.

Agents and service providers

Adobe Inc. works with several companies to help us deliver our services to you on our behalf. These companies provide services such as offering customer support, processing credit card payments, and sending emails on our behalf. In some cases, these companies will have access to some of your personal information in order to provide services to you on our behalf. They are not permitted to use your information for their own purposes. Adobe Inc. requires that its agents and service providers that have access to personal information received by Adobe Inc. from the EU or Switzerland subscribe to the Safe Harbor Privacy Principles, be subject to the EU Privacy Directive or another adequacy finding, or enter into a written agreement that requires them to provide at least the same level of privacy protection as is required by the relevant Safe Harbor Principles.

Adobe Inc. takes reasonable steps to ensure that your personal information we process is accurate, complete, and current by using the most recent information provided to us.

Accessing and updating your information

You can request to review, update, or delete your personal information.

Information processed by Adobe on behalf of a company using an Adobe hosted service

Adobe Inc. provides hosted services to companies (learn more). As part of providing these hosted services, Adobe Inc. may receive and process your personal information if you are a customer of one of these companies. When Adobe Inc. provides these services, we are referred to as a data processor. As a data processor, Adobe Inc. acts on the instructions of these companies and uses reasonable physical, electronic, and administrative safeguards to protect this personal information from loss; misuse; or unauthorized access, disclosure, alteration, or destruction. Companies that use an Adobe hosted service are responsible for complying with all other obligations in relation to the personal information they may collect from you.

Questions or concerns

If you have any complaints regarding our compliance with the Safe Harbor program, you should first contact us. If the complaint cannot be resolved through our internal dispute resolution process, you may submit your complaint to JAMS for mediation under the JAMS International Mediation Rules, which are accessible on the JAMS website at www.jamsadr.com.

Changes or updates

This policy may be changed from time to time as permitted under the Safe Harbor program. Learn more.